Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Roydel
New Contributor

newbie needs help with 200f configuration

I was given a 200f to familiarise my self with until it gets moved to a site, set up ,and registered. I was given a basic list of things to try and accomplish with it while I had it and I've gone as far as my limited knowledge can take me. I will have nothing to do with this device once it leaves my care where it will be factory reset. I was essentialy given it to probe wether or not I can broaden my responsibility range. If there is anyone willing to help a guy grow his knowledge, any help is appreciated. I'll list everything I've done below. maybe yall can spot some things I've done wrong. I was told not to register it so calling tech support is not an option. Any help is appreciated, just desperately trying to learn while I have this short window of opportunity.

 

Things to do: Access GUI, Connect to internet(stuck here), only allow http and https, web filter only allowing google, SSL VPn to firewall, L2TP to firewall.

 

For topology I have an ISP supplied router and hub with a PC connected to ethernet port 1 and the fortigate 200f on ethernet port 3. Then a laptop connected to the console and port 1 on the fortigate with ethernet on port 15.

 

For network I have:

Interfaces:

 

lanswitch ports 1-14; Type hardware switch; Addressing mode is manual IP/Netmask 10.1.1.1/255.255.255.0; Create address object matching subnet ON; Secondary ip OFF; Ipv4 enabled https http ssh ping; Receive and transmit LLDP use vdom settings; DHCP ON with address range 10.1.1.100-10.1.1.254 and netmask 255.255.255.0 ; Default gateway SPECIFY 10.1.1.5 ; DNS server same as system DNS

 

port15(internet): physical interface; role is WAN; Addressing mode DHCP connected 192.168.1.169/255.255.255.0 ; Aquired DNS and default gateway 192.168.1.1 ; Retrieve gateway from server is ON; Distance is 5; Override internal DNS is ON; IPv4 enabled are https http ssh and ping; receive LLDP is ENABLED; outbound shaping profile is OFF;

 

Static route: Destiantion Subnet 0.0.0.0/0.0.0.0 ; Gateway address specify 192.168.1.1 ; interface port15(internet); distance 10; Status enabled;

 

For Policies I have a single firewall policy: Incoming interface Lanswitch; Outgoing interface port15(internet);

 

Source is: IP/netmask 10.1.1.0 / 255.255.255.0 ; Interface ANY; Static route configuration OFF; Destination(all) 0.0.0.0 / 0.0.0.0

 

Schedule ALWAYS; Service ALL; Action ACCEPT; Inspection mode FLOW based; NAT ON; IP pool config use outgoing interface address; perserve source port off; protocol options default; antivirus ON; web filter OFF; DNS filter OFF; application control default; SSl inspection certificate inspection; log allowed traffic security events; enable this policy ON;

2 REPLIES 2
sjoshi
Staff
Staff

Dear Roydel,

 

Thank you for posting to the Fortinet Community Forum.

 

Problem Description:-

newbie needs help with 200f configuration
 
Please follow the article below for the initial configuration of FortiGate
 

Let us know if this helps.

Thanks

Salon Raj Joshi
ede_pfau
SuperUser
SuperUser

Hi Roydel,

first off, your config looks good.

There are a few minor points which I would like to mention:

1- on your LAN, you hand out the wrong gateway to your clients. GW is 10.1.1.1 (the FGT), you specify 10.1.1.5.

2- routing: checked. Client routes to 10.1.1.1, FGT routes to 192.168.1.1, router routes to ISP. This will work.

3- Outbound traffic does not need NAT here, because the FGT is not a border router. Your other router will do NAT.

4- firewalling: checked. FGT knows about the LAN subnet ("directly connected"), and the transfer network to the router (same, "d.c."). Otherwise, the FGT will drop incoming traffic from a subnet it doesn't have a route to! This is called "reverse path fail" (Google is your friend).

5- policy: I take it that you described the source address object, not the policy. "Interface: any" in address object is not only correct, but recommended. "Interface: any" in a policy is a NO-GO! Technically, you can use a wildcard interface here but if you do, you will get yourself in trouble real soon. Please avoid if possible.

6- IIRC, one demand was to only allow outbound HTTP, HTTPS. You allow "service: ALL".

7- similar with UTM services: WF only demanded, WF is OFF but AV, AC is ON.

Yes, in real life, you would always use an AV protection, so YMMV.

 

So, task remaining are:

- get internet access going

- create an SSLVPN

- create a L2TP VPN (ouch!)

 

If internet access doesn't work, use the FGT CLI and ping some host (8.8.8.8). This way, you gather info whether access does work for some devices, or not at all.

ping 192.168.1.1 first, your router needs to answer this.

 

SSLVPN is mainly set up in "VPN > SSLVPN > Settings". If you use port 443 for SSLVPN, you cannot manage the FGT via WAN port (port15) anymore. Which might/might not be your plan.

Creating a VPN will always create a new, virtual interface. You need at least one policy from SSLVPN to your LAN for access.

Think about how to authorize your users. The easiest way is to create local users on the FGT. But, on full scale, you would connect the FGT to your MS-AD (=LDAP server) and use the existing user entries.

 

L2TP is ancient, insecure and only employed if absolutely necessary. Read up in the Admin Guide on how to set this up. Mainly it's one in the CLI (command line).

 

If you have further questions I'm confident everybody here on the forum will be glad to help you. We all have started with absolutely no plan.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors